Permissions in Control
Control provides a rich set of privileges, so administrators can assign each role the privileges it needs. All available permissions in Flowable Control are grouped into four categories:
- Access
- Administration
- Destructive
- Control
Administration and Destructive permissions always require an additional Access permission. Access, Administration and Destructive permissions manage cluster-related functions, while the Control permissions manage Flowable Control itself. The following sections explain how the different permissions work.
Access Permissions
Each access permission enables or disables the corresponding element in the Control UI. Access permissions are required to execute any kind of request.
List of all the available access permissions:
Permission | Privilege | Description |
---|---|---|
Access dashboard | access-dashboards | Enables users to access report related endpoints and the dashboard menu. |
Access apps | access-apps | Enables users to access apps related endpoints and the apps menu. |
Access processes | access-processes | Enables users to access BPMN related endpoints and the processes menu. |
Access cases | access-cases | Enables users to access CMMN related endpoints and the cases menu. |
Access forms | access-forms | Enables users to access form related endpoints and the forms menu. |
Access decisions | access-decisions | Enables users to access decision related endpoints and the decision menu. |
Access content | access-content | Enables users to access content related endpoints and the content menu. |
Access event-registry | access-event-registry | Enables users to access event registry related endpoints and the event registry menu. |
Access templates | access-templates | Enables users to access template related endpoints and the templates menu. |
Access actions | access-actions | Enables users to access actions related endpoints and the actions menu. |
Access engage | access-engage | Enables users to access ENGAGE related endpoints and the ENGAGE menu. |
Access data-objects | access-data-objects | Enables users to access data object related endpoints and the data objects menu. |
Access services | access-services | Enables users to access services related endpoints and the services menu. |
Access users | access-users | Enables users to access users related endpoints and the users menu. |
Access indexes | access-indexes | Enables users to access indexes related endpoints and the indexes menu. |
Access housekeeping | access-housekeeping | Enables users to access housekeeping related endpoints and the housekeeping menu. |
Access tenant variables | access-tenant-variables | Enables users to access tenant variables. |
Access utilities | access-utilities | Enables users to access utilities related endpoints and the utilities menu. |
Access system-info | access-system-info | Enables users to access system info related endpoints and the system info menu. |
Access master data | access-master-data | Enables users to access master data related endpoints and the master data instances menu. |
Access SLAs | access-slas | Enables users to access SLA related endpoints and the SLA menu. |
Administration Permissions
Each admin permission enables the user to call particular actions, such as deleting definitions or updating instance variables. However, all administration permissions always require some additional access permission.
Example: The permission Modify instance requires either Access cases or Access processes.
Permission | Privilege | Description |
---|---|---|
Upload new deployment | upload-new-deployment | Enables users to upload deployment files. |
Migrate instance | migrate-instance | Enables users to migrate instances to different versions. |
Modify instance | modify-instance | Enables users to modify instances. |
Create instance | create-instance | Enables users to create instances. |
Reindex instance | reindex-instance | Enables users to reindex instances (one instance at a time). |
Suspend instance | suspend-instance | Enables users to suspend instances. |
Activate instance | activate-instance | Enables users to activate instances. |
Manage reindex | manage-reindex | Enables users to reindex all instances at once. |
Change state | change-state | Enables users to change the state of instances. |
Change task state | change-task-state | Enables users to change the state of task instances. |
Trigger event | trigger-event | Enables users to trigger events for instances. |
Move job | move-job | Enables users to move jobs. |
Reschedule job | reschedule-job | Enables users to reschedule jobs. |
Execute job | execute-job | Enables users to execute jobs. |
Create IDM user | create-idm-user | Enables users to create IDM users. |
Edit IDM user | edit-idm-user | Enables users to edit IDM users. |
Edit IDM user definition | edit-idm-user-definition | Enables users to edit IDM user definitions. |
Create IDM group | create-idm-group | Enables users to create IDM groups. |
Edit IDM group | edit-idm-group | Enables users to edit IDM groups. |
Modify sequences | modify-sequences | Enables users to modify sequences. |
Import master data | import-master-data-instances | Enables users to import master data. |
Modify tenant-variables | modify-tenant-variables | Enables users to modify tenant variables. |
Destructive Permissions
This category contains all actions that delete or terminate crucial data within the target cluster. Again, all destructive permissions require an access permission to work properly.
Example: The permission Delete instance requires either Access cases or Access processes.
Permission | Privilege | Description |
---|---|---|
Delete deployment | delete-deployment | Enables users to delete deployments. |
Delete instance | delete-instance | Enables users to delete instances. |
Terminate instance | terminate-instance | Enables users to terminate instances. |
Delete job | delete-job | Enables users to delete jobs. |
Stop housekeeping run | stop-housekeeping-run | Enables users to stop housekeeping runs. |
Delete housekeeping job | delete-housekeeping-job | Enables users to delete housekeeping jobs. |
Delete master data | delete-master-data-instances | Enables users to delete master data instances. |
Schema definition update database | schema-definition-update-database | Enables users to execute database updates on schema definitions. |
Schema definition rollback database | schema-definition-rollback-database | Enables users to execute database rollbacks on schema definitions. |
Delete user | delete-idm-user | Enables users to delete users. |
Delete group | delete-idm-group | Enables users to delete groups. |
Modify system-info | modify-system-info | Enables users to modify the system information. |
Delete tenant variables | delete-tenant-variables | Enables users to delete tenant variables. |
Control Permissions
This category contains all permissions that are related to Flowable Control itself. Similar to the Access, Administration and Destructive permissions, the Control permissions rely on each other.
Example: Access control clusters is required to add, edit or delete cluster configurations.
Permission | Privilege | Description |
---|---|---|
Add cluster | add-cluster | Enables users to add new cluster configurations. |
Edit cluster | edit-cluster | Enables users to edit existing cluster configurations. |
Delete cluster | delete-cluster | Enables users to delete cluster configurations. |
Assign cluster authorities | assign-cluster-authorities | Enables users to add and remove authorities in the cluster configuration. |
Create control user | create-user | Enables users to create new Control users. |
Delete control user | delete-user | Enables users to delete Control users. |
Edit control user | edit-user | Enables users to edit existing Control users. |
Assign roles | assign-roles | Enables users to assign Control users to Control roles. |
Create roles | create-roles | Enables users to create new Control roles. |
Delete roles | delete-roles | Enables users to delete Control roles. |
Access control audit | access-control-audit | Enables users to access the audit log. |
Access control actuator | access-control-actuator | Enables users to access the actuator. |
Modify license | modify-license | Enables users to modify the license information. |
Access control users | access-control-users | Enables users to modify the system information. |
Access control roles | access-control-roles | Enables users to modify the system information. |
Access control clusters | access-control-clusters | Enables users to access the Control cluster information. |